Despite revision, cybersecurity rules for New York financial sector still have teeth

Other states could follow Empire State's lead with focus on data breach prevention

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

’Twas a few days before Christ­mas 2016, and the bank­ing and insur­ance indus­tries were in a tizzy.

The New York State Depart­ment of Finan­cial Ser­vices was on the verge of spoil­ing the hol­i­days for these ver­ti­cals by imple­ment­ing an unprece­dent­ed set of rules requir­ing finan­cial ser­vices firms to adopt first-class cyber­se­cu­ri­ty poli­cies and practices.

Relat­ed video: New York state shakes up secu­ri­ty paradigm

Respond­ing to eleventh-hour lob­by­ing, NYDFS Super­in­ten­dent Maria T. Vul­lo did con­cede to post­pone imple­men­ta­tion of her agency’s Cyber­se­cu­ri­ty Require­ments for Finan­cial Ser­vices Com­pa­nies by three months—to March 1. And on Dec. 28, Vul­lo released a heav­i­ly revised set of rules, pre­sum­ably aimed at ame­lio­rat­ing indus­try complaints.

How­ev­er, the core of New York’s pio­neer­ing cyber­se­cu­ri­ty rules remains intact. If Vul­lo can actu­al­ly pull off much-need­ed behav­ior change among the finan­cial sec­tor in the Empire State, then oth­er states may be embold­ened to fol­low her lead. Keep in mind these are rules issued by a state agency. State law­mak­ers had lit­tle to do with it.

Third­Cer­tain­ty asked four attor­neys who have been close­ly mon­i­tor­ing this devel­op­ment to sup­ply wider con­text. Weigh­ing in below are Edward J. McAn­drew, of Bal­lard Spahr; Richard Bor­den, of Robin­son & Cole; and Thomas M. Daw­son and Yuliya Feld­man, of Drinker Bid­dle & Reath. (This text has been edit­ed for clar­i­ty and length.)

Third­Cer­tain­ty: What is sig­nif­i­cant about New York stand­ing its ground?

Thomas M. Dawson, Drinker Biddle & Reath attorney
Thomas M. Daw­son, Drinker Bid­dle & Reath attorney

Daw­son: The revised require­ments pro­vide greater flex­i­bil­i­ty, but leave in place a sys­tem that would be the first of its kind. Most cyber­se­cu­ri­ty reg­u­la­tion efforts focus on either pro­vid­ing a vol­un­tary frame­work for eval­u­at­ing cyber­se­cu­ri­ty risks, or pre­scrib­ing reme­di­al efforts after a data breach has occurred. New York seeks to impose com­pre­hen­sive and spe­cif­ic cyber­se­cu­ri­ty require­ments that are focused on pre­vent­ing data breach­es, such as mul­ti-fac­tor authen­ti­ca­tion and encryption.

 McAn­drew: Although it made some sig­nif­i­cant revi­sions, NYDFS retained the over­all frame­work of the reg­u­la­tions. This shows the agency intends for these reg­u­la­tions to have teeth. This requires the cre­ation, imple­men­ta­tion and ongo­ing exe­cu­tion of a full-scale infor­ma­tion secu­ri­ty pro­gram that is proac­tive, risk-based and com­pre­hen­sive. Yet it can also be tai­lored and respon­sive to actu­al cyber inci­dents and the con­stant­ly evolv­ing cyber threat landscape.

3C: What are some key revisions?

Edward J. McAndrew, Ballard Spahr attorney
Edward J. McAn­drew, Bal­lard Spahr attorney

McAn­drew: Three big revi­sions caught my atten­tion. First, the def­i­n­i­tion of what qual­i­fies as “non­pub­lic infor­ma­tion” has been sig­nif­i­cant­ly nar­rowed and now more close­ly tracks the New York data breach noti­fi­ca­tion law. Sec­ond, the reg­u­la­tion gov­ern­ing third-par­ty ser­vice providers has been rewrit­ten to make clear that cov­ered enti­ties will not be required to audit the sys­tems of all third-par­ty ser­vice providers.

And third, the cyber­se­cu­ri­ty event noti­fi­ca­tion oblig­a­tion has been cir­cum­scribed. It only applies where an event trig­gers a noti­fi­ca­tion oblig­a­tion to a gov­ern­men­tal, self-reg­u­la­to­ry or super­vi­so­ry enti­ty, or cre­ates a rea­son­able like­li­hood of mate­ri­al­ly harm­ing any mate­r­i­al part of the cov­ered entity’s nor­mal operations.

Feld­man: The over­all effec­tive date was pushed back to March 1, and extend­ed tran­si­tion­al peri­ods for cer­tain require­ments were intro­duced. How­ev­er, these new dead­lines are still tight. The intro­duc­tion of a risk-based approach now requires two sep­a­rate steps—the risk assess­ment and imple­men­ta­tion of the cyber­se­cu­ri­ty require­ments tak­ing the risk assess­ment con­duct­ed into account. There­fore, cov­ered enti­ties should begin plan­ning soon, if they have not begun to do so already, to give them­selves suf­fi­cient time to come into compliance.

3C: Doesn’t allow­ing a ‘risk-based’ approach give com­pa­nies wig­gle room?

Yuliya Feldman, Drinker Biddle & Reath attorney
Yuliya Feld­man, Drinker Bid­dle & Reath attorney

Feld­man: Com­pa­nies can tai­lor their com­pli­ance to oper­a­tional real­i­ties. As an extreme exam­ple, let’s say that a cov­ered enti­ty han­dled and stored all cus­tomer infor­ma­tion inter­nal­ly and did not con­tract with third-par­ty ser­vice providers. Under a risk-based approach, that firm would not have to estab­lish a third-par­ty secu­ri­ty policy.

In less extreme cas­es, a risk-based approach allows com­pa­nies to more effi­cient­ly allo­cate resources. They can ful­fill those cyber­se­cu­ri­ty require­ments that best address the par­tic­u­lar cyber­se­cu­ri­ty risks that are riski­est for that par­tic­u­lar entity.

Bor­den: This could actu­al­ly increase require­ments. For cov­ered enti­ties with less risk in cer­tain areas, few­er con­trols must be in place. How­ev­er, if sig­nif­i­cant risk is iden­ti­fied in a risk assess­ment, stronger con­trols will be required. Impor­tant­ly, NYDFS has stat­ed that the risk assess­ment is “not intend­ed to per­mit a cost-ben­e­fit analy­sis of accept­able loss­es where an insti­tu­tion is faced with cyber­se­cu­ri­ty risks.”

 The agency’s fun­da­men­tal response, to put it col­lo­qui­al­ly, is “If you don’t like how we did it, then do a risk assess­ment that cov­ers all the top­ics and come up with your own con­trols. But get it right, because in the event of a breach or an audit, you signed on the bot­tom line that you were in compliance.”

3C: Do you expect oth­er states to fol­low New York’s example?

Richard Borden, Robinson & Cole cybersecurity attorney
Richard Bor­den, Robin­son & Cole cyber­se­cu­ri­ty attorney

Bor­den: I have heard that reg­u­la­tors from a num­ber of states are watch­ing this reg­u­la­tion care­ful­ly. Some are con­sid­er­ing broad­er adop­tion than just finan­cial ser­vices com­pa­nies. This could result in a patch­work of reg­u­la­tion that may be dif­fi­cult for mul­ti-state com­pa­nies from a com­pli­ance standpoint.

Daw­son: Oth­er states are def­i­nite­ly watch­ing this. We could see a pos­si­ble balka­niza­tion of cyber­se­cu­ri­ty require­ments that would be in no one’s inter­ests. It will be inter­est­ing to see how the fed­er­al posi­tion devel­ops in a pos­si­ble small-gov­ern­ment era in Wash­ing­ton, D.C.

I’d note, how­ev­er, that in the bank­ing sec­tor, the Fed­er­al Reserve Board, the Fed­er­al Deposit Insur­ance Corp., and the Office of the Comp­trol­ler of the Cur­ren­cy issued an Advanced Notice of Pro­posed Rule­mak­ing on Enhanced Cyber Risk Man­age­ment Stan­dards late in 2016.

More sto­ries relat­ed to cyber­se­cu­ri­ty in the finan­cial sector:
$81 mil­lion cyber heist offers lessons for finan­cial institutions
Small banks, cred­it unions on front lines of cyber­se­cu­ri­ty war


Posted in Cybersecurity, Featured Story